Article5 minutes of readingCybersecurity serious game

Cybersecurity serious game : why e-learning is no longer enough

The SSI know this: their e-learning modules for cybersecurity awareness reach on average 12% of real completion beyond contractual obligation. The serious physical game does four times better. Not because it is simpler - because it requires talking together rather than listening in silence.

By Joeffrey Costa, founder of Craft Your Games · · Updated on

A French bank's SRI told me last year that his biggest frustration was not the budget - it was the Total disengagement of its employees in the face of cyber training modules. "We tried everything: videos, quizzes, phishing simulations. Everyone clicks to validate, nobody holds back." His first session of serious cyber game, organized in physics with 60 people, changed his video calln. "For the first time in three years, they were talking cybersecurity at lunch."

The physical format changes everything, but you have to design it properly. A bad serious game is worse than a good e-learning: it discredits the subject and demobilizes the teams for months.

A bad serious game is worse than a good e-learning. He discredits the subject and demobilizes the teams for months.

Why the serious game changes the game into cyber

According to ANSSI, 80% of successful cyber attacks exploit human error (phishing, low password, poor data management). Classic cybersecurity e-learning has a low engagement rate (15 to 25%) and poor retention. serious game cybersecurity well designed reverses these ratios: commitment from 70 to 90%, retention multiplied by 3, behaviour modified sustainably.

DSI and RSSI now integrate serious game into their annual awareness-raising system, in addition to simulated phishing and mandatory e-learning modules.

Effective Cyber Security Formats

Three formats work for a serious game cybersecurityThe "network defense" card game: 80 cards representing threats (phishing, ransomware, social engineering) and defenses (MFA, VPN, password management), to be played in teams. The "secure co-workers' path" board: 6 to 8 players pass a typical day with choice of behavior (click or not, open or share or not). The cybersecurity escape game: teams solve a simulated attack in 60 minutes.

The choice depends on the audience and the context: cards for short sessions in teams, tray for workshops of 1h30, escape game for events managers or tech.

Content and compliance

The content of a serious game cybersecurity must cover the 10 priority themes of ANSSI: passwords, phishing, web browsing, e-mail, USB and removable media, mobile and BYOD, telework, personal data, social engineering, incident reporting. For a technical audience (DSI, RSSI, IT teams), the attack chain MITRE ATT&CK and the EDR/SIEM mechanisms are deepened.

Craft Your Games works with cybersecurity experts to validate content before printing. Our form specify your priority themes.

3 mistakes to avoid

  1. Content too technical : a serious game for all employees must remain accessible to non-IT. Reserve the technique to specialized teams.
  2. No animation : The game without animator trained in cyber loses 50% of its educational impact.
  3. Ignore Update Threats are changing. Provide for an annual update of cards or usage cases.

Have a custom game project?

Design, manufacturing, delivery turnkey. Detailed quote within 48 hours, free and no commitment.

Request a quote in 48h

Costs and MOQ : what we don't tell you in the initial quote

The initial quote for a project serious game cybersecurity almost always hides three variables that tilt the final budget. First variable: the actual MOQ per component. A manufacturer can display an overall MOQ, but impose distinct minimums per sub-element (specific cards, soft-touch lamination, printed wooden tokens). The quote announced in overall MOQ is therefore rarely the actual quote on arrival - hence the importance of requiring a breakdown by component to assess the consistency of the costing.

Second variable: the cost of tooling dies and plates. For an offset series, the plates represent an initial investment amortized over the quantity. On small series, this tooling cost is mechanically heavier per unit - which can transform the perception of the displayed unit price. Any serious quote distinguishes the material cost, the tool cost and the labor cost. If your quote shows a single unit price without breakdown, ask for it systematically.

Third variable: post-production logistics cost. Individual cellophane, placed in master carton, palletizing, labeling, multi-site transport, insurance: these lines are regularly forgotten in the first costing. For B2B projects delivered on several French sites (typical scenario of a large group distributing its serious game cybersecurity to several regional branches), require a costed logistics simulation before signing. This precaution avoids the surprise of a final invoice higher than expected.

On the MOQ side, several economic levels structure the market: a small volume for a test project (high unit cost but controlled investment), an intermediate volume for an initial deployment (declining unit cost), a large volume for a large deployment (optimized cost), a very large volume for a multi-year strategic project (floor cost). Choosing the right level involves balancing commercial risk and economies of scale - the classic error is to aim between two levels and pay the unit cost of a small series without benefiting from a real economy of scale. For a quote tailored to your real needs, our team will get back to you within 48 hours.

The 5 classic traps to avoid on a serious cybersecurity game project

Of the hundreds of projects serious game cybersecurity that we have supported since 2018, five errors recur more often than the others. Identifying them allows you to save several weeks on the project schedule and better control the budget. Here is the list, in order of observed frequency.

Pitfall #1: briefing the manufacturer too early. Before contacting the manufacturer, four internal decisions must be made: precise target audience, context of use (meeting, trade show, kit sent), expected behavior, internal validation circuit. Without these four decisions, any quote is arbitrary - therefore useless. This error systematically generates several commercial round trips and several lost calendar weeks.

Trap #2: underestimate the internal validation time. The period announced by the manufacturer generally starts after validation of the Good to Shoot. However, the validation of the BAT (Good to Print, validation before printing) often takes more time than expected on the client side: back and forth graphics, legal validation for packaging, internal compliance verification. Anticipate this validation time in your back-planning.

Trap #3: not testing the prototype in real conditions. A prototype validated "in the office" can reveal critical defects in use conditions (room light, attention span, multi-player context). A structured test session with testers representative of the final public reveals the majority of critical defects before series production.

Trap #4: neglecting the post-manufacturing phase. Packaging, kitting, storage, split shipping: these steps represent a significant portion of the total budget but are often forgotten in the first estimates. Frame them from the initial brief to avoid unpleasant surprises at the time of delivery.

Trap #5: underinvesting in the creative brief. A creative briefing rich in visual references and textual details massively reduces the number of back and forths in the model phase. A vague brief mechanically generates significant readjustment costs and a schedule that slips. Invest time in the brief before launching manufacturing - this is the best ROI on a project. serious game cybersecurity.

Sources and references

  • INSEE — French games & toys market studies 2025
  • European standard EN71 — toy safety (EN71-1 mechanical, EN71-2 flammability, EN71-3 chemical)
  • FFJP — French federation of toy and childcare industries
  • AFNOR — responsible paper labels PEFC and FSC
  • Bpifrance study — SMEs and B2B purchasing 2026

If you are planning a project on this subject, we manufacture in the EU with EN71 compliance, vegetable inks and responsible paper certifications. Estimated quote within 48 hours.

Request a quote

To go further

Reference guide: For the complete overview, consult our guide complete guide to serious games in business.

Questions frequent

How long does a serious cybersecurity game last?

The standard format is 1h30 for a team workshop (6-12 people). Short versions in card play can take 30 to 45 minutes to fit into a meeting. Cybersecurity escape games are calibrated over 60 minutes plus 30 minutes of debriefing. The duration is chosen according to the place in the annual awareness calendar.

Does serious game replace cyber e-learning?

No, it complements it. e-learning remains useful for mandatory coverage of all employees and regulatory traceability. Serious game enhances commitment, memory and behaviour change. Both devices combine best results: 30 at a declining rate of human error incidents.

Do you need a trained host to run it?

Yes, it is recommended. A serious cybersecurity game derives its effectiveness from animation: explanation of good practices after each turn, debriefing errors, link to the context of the business. Craft Your Games provides an optional detailed facilitator guide and can train your internal facilitators in half-day.

Can we customize the game with our internal processes?

Yes, it's even recommended. The serious game becomes more relevant when it integrates your tools (Slack, Teams, VPN, internal password manager), your procedures (signally incident, access request) and your actual anonymized cases. This customization represents 30 to 40% of the content and makes all the educational difference.

What volume for a national deployment?

For a company of 1,000 to 5,000 employees with animation per site, count 30 to 100 games according to the geographical mesh. For a team deployment (1 game for 10 people), 100 to 500 games. Craft Your Games manufactures in the EU from 100 units with delay 6 to 8 weeks for this type of project.

What time frame should a serious cybersecurity game project take?

For a serious cybersecurity game project in standard series (300 to 1,000 copies), count 6 to 8 weeks since the validation of the estimate: 2 weeks of model validation and good to draw, 3 to 4 weeks of manufacturing, 1 week of finishing and packaging. Urgent projects can be accelerated to 4 weeks with an extra cost for workshop priority and parallel validation.

What is the minimum order quantity (MOQ) for serious cybersecurity game project?

The technical MOQ of a serious cybersecurity game project starts with 50 copies (digital) or 250 copies (offset). The economic MOQ - the one where the unit cost becomes reasonable - is instead about 300 copies. Below 100 copies, the unit cost is usually 3 to 5 times higher than a 1,000-tier.

Can we order a serious cybersecurity game prototype before the show?

Yes, and we highly recommend it on any project of more than 500 copies. A physical prototype costs a moderate amount depending on the level (digital single copy, offset mini-series, pre-series 50 units) and makes it possible to validate the tactile sensation, the rigidity, the sliding of the cards, the weight felt. This expense avoids on average significantly higher reprinting costs on projects that would have skipped the step.

Is the serious cybersecurity game project CSR compliant?

Yes — by default we produce on certified responsible paper, with vegetable inks and Imprim'Vert certified printing. For an auditable CSR documentation (CSRD, carbon footprint, public call for tenders), we provide on request numbered certificates from upstream suppliers, the carbon footprint by encrypted copy, and material traceability on two levels.

How to integrate a serious cybersecurity game project into a global B2B strategy?

A serious cybersecurity game project works better when it is part of a global device: onboarding kit for newcomers, animation of trade shows, VIP customer gift, recurrent educational support. Profitability is optimal when the same game serves 3 to 5 different contexts - which means calibrating content and format from the initial brief.

Quote 48h